CVE-2025-54589
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-31

Last updated on: 2025-09-22

Assigner: GitHub, Inc.

Description
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-31
Last Modified
2025-09-22
Generated
2026-05-07
AI Q&A
2025-07-31
EPSS Evaluated
2026-05-05
NVD
CVE-2025-54589
EUVD
EUVD-2025-23272
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
9001 copyparty to 1.18.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in Copyparty versions 1.18.6 and below. When users access the recent uploads page and use the filter input, the filter parameter is directly inserted into a script block in the page without proper escaping. This allows attackers to inject malicious scripts that run in the context of the user's browser, affecting both authenticated and unauthenticated users. The issue is fixed in version 1.18.7.


How can this vulnerability impact me? :

The vulnerability can allow attackers to execute arbitrary scripts in users' browsers, potentially leading to theft of sensitive information, session hijacking, or performing actions on behalf of the user. Since it affects both authenticated and unauthenticated users, it can be exploited to compromise user data and the integrity of the application.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Copyparty to version 1.18.7 or later, as this version contains the fix for the reflected Cross-Site Scripting (XSS) vulnerability in the recent uploads page. Until the upgrade is applied, restrict access to the recent uploads page or disable the filter input field to prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart